undefined | Better HN

0 pointsmardifoufs5y ago0 comments

If I had to guess, the attackers probably didn't even need twitter employees to have direct access to the accounts. If support tools allow Twitter support staff to change a user's email (which would make more sense, but still be extraordinarily unsecure), you basically get full access to the accounts the moment you get control over those tools. It would also explain why all the account emails seem to have been changed.

But even then, that there is no system to detect mass modifications and no delay before the changes take place is incredible. Unless they were able to social engineer their way into multiple employee's accounts to avoid detection, which would be an incredibly bad problem by itself.

Twitter seems to have a shaky history when it comes to limiting employee access to account info.

0 comments

2 comments · 2 top-level

scoutt5y ago

"Hello? Twitter support? Yes, I want to change my email address. I'm Elon Musk."

blisseyGo5y ago

I am really doubtful they were able to change the email and phone of so many celebrities and powerful people at the same time by phone. Twitter stated "social engineering" but I don't think this was for changing emails and phones of each person one by one.

j / k navigate · click thread line to collapse